Threat actors exploited Meta's artificial intelligence support bot to reset passwords and seize high-profile Instagram accounts this weekend. The compromised accounts included the Obama White House's official Instagram and the Chief Master Sergeant of the U.S. Space Force's account. Both were briefly defaced with pro-Iranian imagery and messaging before Meta regained control.
The attack vector originated from instructions circulating on Telegram that detailed how to manipulate Meta's AI support assistant into executing unauthorized password resets. The bot, designed to assist users with account recovery, became a vector for account takeover when properly manipulated by attackers.
The targeting of government accounts underscores a broader vulnerability in relying on AI-driven support systems without sufficient verification layers. Meta's bot apparently lacked adequate authentication safeguards to prevent bad actors from exploiting the password reset functionality. The defacement with pro-Iranian content suggests potential state-sponsored coordination or ideological motivation rather than opportunistic credential theft.
This incident reveals a tension in customer support automation. AI assistants reduce operational costs and provide faster response times, but they create new attack surfaces when developers fail to implement robust identity verification. The bot should have required multi-factor authentication confirmation, security questions with answers known only to legitimate account owners, or verification through registered email addresses before executing any password changes.
High-profile government accounts attract sophisticated attackers willing to probe security weaknesses for maximum impact. The weekend timing may indicate attackers tested the vulnerability before it received wider distribution, though the circulation on Telegram suggests exploitation at scale became possible quickly.
Meta has not disclosed whether the AI support bot remains vulnerable or what corrective measures it deployed. Organizations relying on Meta's authentication and support systems should review their account security posture. Users with government or high-value accounts should enable the strongest available security settings, including hardware security keys and restricted login locations.